From b4a4e7ccdca70bc6789bb24e3b59c153513f44b9 Mon Sep 17 00:00:00 2001
From: Chuck McCallum
Date: Thu, 22 Jan 2026 15:55:48 -0500
Subject: [PATCH] html escape user-provided text

---
 dp_wizard/shiny/panels/results_panel/__init__.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/dp_wizard/shiny/panels/results_panel/__init__.py b/dp_wizard/shiny/panels/results_panel/__init__.py
index 200e356a..8775a676 100644
--- a/dp_wizard/shiny/panels/results_panel/__init__.py
+++ b/dp_wizard/shiny/panels/results_panel/__init__.py
@@ -1,3 +1,4 @@
+import html
 import re
 from pathlib import Path
 from shutil import make_archive
@@ -372,7 +373,11 @@ def notebook_py():
         return "raise Exception('qa_mode!')"
     return NotebookGenerator(
         analysis_plan(),
-        input.custom_download_note(),
+        # The custom download note is inserted as a comment,
+        # and jupytext copies it verbatim to a markdown cell,
+        # and nbconvert does not sanitize MD before converting to HTML.
+        # Sanitizing HTML would be more complicated, and potentially lossy.
+        html.escape(input.custom_download_note(), quote=False),
     ).make_py()
 
 @reactive.calc
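Review bot: The escaping in the second hunk is applied at the call site in notebook_py, so any other present or future caller of NotebookGenerator still hands it unescaped text; the escape belongs where the comment is actually emitted, inside NotebookGenerator, with this call site reverting to `input.custom_download_note(),`. html.escape also neutralizes only raw HTML tags and entities, while markdown syntax in the note is still rendered by nbconvert, so the added comment overstates what is gained and I would append `# Note: this stops raw HTML only; markdown syntax in the note is still rendered.`. Since the note is inserted as a `#` comment, a newline inside it would end the comment unless NotebookGenerator prefixes every line, which is not visible here and worth confirming. A unit test feeding a note that contains an angle-bracketed tag and an embedded newline through notebook_py would pin both behaviours. The enclosing function notebook_py starts outside the hunk.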